Device and method to detect spoofing of a terminal

ABSTRACT

A terminal to calculate a position and detect spoofing, the terminal includes a receiver of first signals, notably signals of a GNSS type, from first sources, to compute a first information relative to its position, as for instance a pseudo range measurement, an ephemeris, a navigation message, spatial coordinates or temporal coordinates, and to calculate a position; a receiver of a second signal of a non-RF and non-GNSS type from a second source, notably from an optical display, the second signal comprising a second information transmitted using a predetermined encoding format to retrieve said second information; a processing logic configured to detect spoofing by comparing the first and second information. The associated transmitters, authentication server and spoofing detection methods are also provided.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a National Stage of International patent applicationPCT/EP2018/082414, filed on Nov. 23, 2018, which claims priority toforeign European patent application No. EP 17306726.5, filed on Dec. 8,2017, the disclosures of which are incorporated by reference in theirentirety.

FIELD OF THE INVENTION

The present invention relates generally to the field of positioningtechniques. More particularly, it describes a receiver and associatedmethod to detect spoofing and discrepancies in a receiver computing aposition, notably when this receiver is a GNSS (acronym for GlobalNavigation Satellite System) receiver.

BACKGROUND PRIOR ART

Applications based on positioning information are taking an increasingplace in today's society. These include Location Based Services (LBS),which intend to provide to some user a content that is relevant to itsposition, like augmented reality applications, navigation systems, andmany others. This trend is expected to further increase with theemerging markets of autonomous vehicles (cars, trucks, boats, . . . ),and secure transactions. Among the existing positioning techniques,GNSS-based techniques have proven to be the best candidates outdoor,because they provide high accuracy with a worldwide coverage. For indoorapplications, many technologies are available, as for instance Wi-Fitriangulation (notably WIFISLAM™), GPS coordinates combined withinformation retrieved from various sensors like a compass, gyroscope,pedometer and/or accelerometer, or positioning information provided byBluetooth, Wi-Fi or VLC (Visible Light Communication) beacons. However,indoor positioning techniques provide a lower accuracy than GNSSpositioning techniques.

GNSS positioning techniques have been used and improved for many yearsnow. Two Global Navigation Satellite Systems (GNSS) have been fullydeployed for a number of years (the US Global Positioning System (GPS)and the Russian GLONASS) and two more are under deployment (the ChineseBeidou Navigation Satellite System and the European Galileo™ system).

The way GNSS systems operate is the following: a fleet of satellites,embedding high precision atomic clocks, transmit at specific timessignals made of a navigation message modulated by a pseudo randomsequence, further modulated and shifted to a carrier frequency. Thevarious signals are transmitted on the same carrier frequency but usedifferent pseudo random sequences. The navigation message comprisesinformation like the transmission time of the message, and informationabout the position of the various satellites, called ephemeris. On thereceiver side, the signals are separated based on their pseudo randomcode. From the reception time of the signals and the transmission timeretrieved from the navigation message, the receiver can calculate aninformation called pseudo-range, which is representative of a distancebetween the receiver and the associated satellite. When a receiver hascalculated at least four pseudo ranges, it can solve position equationsthat comprise four unknown variables: latitude, longitude, altitude andtime. The solution of these equations is known as a Position, Velocityand Time (PVT) estimate.

However, GNSS receivers are vulnerable to signal spoofing attacks.Indeed, in current civilian GNSS applications, positioning informationis not protected and there is a general lack of authenticationinformation. In commercial or military applications, the positioningsignals might be protected using specific or time varying pseudo randomcodes but this protection is limited and can easily be circumvented.Thus, spoofing can be a major safety issue, in particular with regard toautonomous vehicles, and the development of countermeasures to deal withspoofing is a major challenge for deployment of future reliableGNSS-based applications.

There are many ways to spoof GNSS positioning signals using a groundtransmitter. Due to the proximity with the receiver, spoofing signalstransmitted from terrestrial transmitters are received by GNSS receiverswith higher power level than legitimate signals transmitted from thesatellites, and generally overshadow these signals.

A first way to spoof a positioning signal is to use a terrestrialtransmitter to record, delay and replay legitimate GNSS signals. Thistechnique is known as “meaconing”. Due to the fact that the receivedsignal is delayed and does not come directly from a legitimatesatellite, the position and time calculated by the victim receiver aredistorted.

Another way to spoof is to generate a complete fake GNSS signal, inorder to transmit false and misleading navigation signals that will beinterpreted by the receiver as legitimate information and lead to awrong positioning of the victim receiver.

Another way is to transmit spoofing signals that are synchronized withthe authentic GNSS signal, and to slightly alter the informationcontained in the navigation message to progressively drift the PVTcomputation. This method of spoofing is one of the most difficult todetect as the transition of the receiver from the legitimate signals tothe spoofing signals is made slowly and gradually.

Likewise, indoor positioning techniques based on the transmission of aspecific positioning signal can be easily spoofed by transmitting aspoofing signal with a higher power level.

Another type of spoofing consists in modifying a receiver in a way thatit calculates a position that is different from its actual position.This type of spoofing is not performed by substituting a legitimate RFsignal but by a software manipulation of the raw data used by the PVTcomputation engine, by a software manipulation, performed over the PVTthat output of the receiver, at the API (Application programminginterface) level, or even at the software and/or OS (operating system)level. For example, the pseudo ranges to GNSS satellites calculated by asmartphone can be modified so that the PVT calculation leads to apredetermined result. Alternately, the content of the NMEA sentences(acronym for National Marine Electronics Association), that containposition and time information, may be altered to match a predeterminedresult. This type of spoofing is an issue when the position of thereceiver is used to authenticate a transaction. For example, softwarespoofing applications have become particularly widespread when thePokémonGo™ game was released: users where able to catch Pokémons allaround the world without leaving their house. What can be seen asanecdotal when applied to a game can have more severe repercussions whendealing with authenticating a transaction like a package delivery or abanking payment.

To some extent, jamming may also be considered as some type of spoofingattack. Indeed, it may be used to block the GNSS signal reception anddisable the position measurement. For example, when a receiver that hasacquired a first position (which may have been spoofed) faces jamming,it may be unable to process the GNSS signals. At the software level,this situation may be interpreted as a “non-moving” receiver i.e. havingfixed position. Some examples are known for trucks and delivery serviceswhich routes were altered with this approach while avoiding detection atthe receiver level. Although GNSS jamming is not legal in mostcountries, equipments are commercially available.

Many techniques are known to detect spoofing of GNSS signals. Most ofthem are based on detection of sudden AGC variations of the receivedsignals, on detection of multiple synchronization peaks, or on detectionof correlators' outputs distortions. However, these techniques are notreliable when the receiver evolves in urban propagation environments,where the signal is prone to suffer from multipath reflections andsudden and temporary masking.

Although spoofing attacks can also be, to a certain extent, mitigated byadding cryptographic authentication to the navigation signals and/ornavigation messages, the cost for deploying an encrypted satellitesignal can be high and encryption does not protect from meaconing, i.e.recording, delaying and retransmitting legitimate GNSS signals.

To detect software circumvention done to a receiver in order to spoofits position, the coherency of the position over time can be evaluated:when the receiver goes from Paris to London in a few seconds,probability of spoofing is high. However, it is more difficult whenspoofing is performed at a slow and regular speed (with regard to theapplication considered).

Therefore, spoofing and jamming of GNSS signals create in particular arisk for location-based services. GNSS is used as a sensor for manysafety-critical applications and is a crucial sensor for timing andsynchronization of reference stations for telecommunications, electricalpower supplies, exchange markets and banks. There is consequently a needfor a solution to confirm the existence or absence of spoofing in areceiver, in order to control the risk incurred when using aposition/time information provided by a receiver. Notably, there is aneed that the solution provided is simple enough to be deployed on alarge scale at limited extra costs.

SUMMARY OF THE INVENTION

It is an object of the invention to provide improvements over the priorart by implementing a two-factors validation of a positioning signal. Tothis end, the invention discloses a terminal to calculate a position anddetect spoofing. The terminal according to the invention comprises areceiver of first signals of a GNSS type received from first sources,configured to compute one or more first information relative to aposition of the terminal, the first information being one or more of apseudo range measurement, an ephemeris, a navigation message, spatialcoordinates or temporal coordinates, and to calculate a position. Itfurther comprises a receiver of a second signal of a non-GNSS typereceived from a second source external to the terminal, the secondsignal comprising a second information relative to a positiontransmitted using a predetermined encoding format, configured toretrieve said second information. Finally, the terminal comprises aprocessing logic configured to detect spoofing based on a comparisonbetween the first information and the second information.

According to one advantageous embodiment of the invention, the secondsignal is an optical signal transmitting the second information as amachine-readable optical label.

According to another embodiment, the second signal is an optical signalusing Visible Light Communication.

According to another embodiment, the second signal is a short range RFsignal, advantageously selected from a set of technologies comprisingRFID communications, Bluetooth™, Zigbee™ and Wi-Fi.

According to still another embodiment, the second signal is an acousticsignal.

The invention further concerns a terminal, to calculate a position anddetect spoofing, comprising a receiver of one or more first signalsreceived from one or more first sources, configured to compute orretrieve one or more first information relative to a position of theterminal from said first signals, the first information being one ormore of a pseudo range measurement, spatial coordinates or temporalcoordinates, and to calculate a position. The terminal further comprisesa receiver of a second signal displayed as a machine-readable opticallabel by a second source external to the terminal, the second signalcomprising a second information relative to a position transmitted usinga predetermined encoding format, configured to retrieve said secondinformation. The terminal further comprises a processing logicconfigured to detect spoofing based on a comparison between the firstinformation and the second information.

According to one embodiment, spoofing is detected when a differencebetween the first information and the second information is above athreshold, which may be adaptive.

Advantageously, the second signal may further comprise an authenticationkey, the terminal being further configured to use the authentication keyto retrieve the second information.

In another embodiment, the one or more second signals are encrypted, theterminal being further configured to decrypt the second information.

According to an embodiment of a terminal according to the invention, thesecond information is related to a position of an equipment from whichit is transmitted.

The invention also covers a transmitter, configured for transmitting asignal of a non-GNSS type carrying an information being one or more of apseudo range measurement, an ephemeris, a navigation message, spatialcoordinates or temporal coordinates, where the information istransmitted in an encoding format previously made available to a set ofterminals and where the information is adapted to be compared to anotherpositioning information by a terminal in the set of terminals,advantageously through the display of a machine-readable optical label.

In an advantageous embodiment, the information transmitted is timevarying. The transmitter may also be associated to an authenticationkey, and be further configured to transmit the information using anencoding format relying on said authentication key, and/or to encryptsaid information.

In addition, the invention concerns a server comprising an access to adatabase of:

-   -   registered transmitters as of any of the previously presented        embodiments;    -   registered terminals as of any of the previously presented        embodiments;        and further comprising one or more communication links        configured to transmit to the registered transmitters and the        registered terminals one or more encoding formats to be applied        to the non-GNSS signals.

Advantageously, the server may be configured to generate authenticationkeys associated to the registered transmitters of the database.

The invention may involve a method of calculating a position anddetecting spoofing in a terminal, which comprises the steps of:

-   -   receiving first signals of a GNSS type from first sources, to        compute one or more first information relative to a position of        the terminal, the first information being one or more of a        pseudo range measurement, an ephemeris, a navigation message,        spatial coordinates or temporal coordinates, and calculating a        position;    -   receiving a second signal of a non-GNSS type from a second        source outside the terminal, the second signal comprising one or        more second information transmitted using a predetermined        encoding format, to retrieve said second information;    -   detecting spoofing by comparing the first information and the        second information.

It also comprises a method of calculating a position and detectingspoofing in a terminal, which comprises the steps of:

-   -   receiving one or more first signals from one or more first        sources, to compute or retrieve one or more first information        relative to a position of the terminal, the first information        being one or more of a pseudo range measurement, spatial        coordinates or temporal coordinates, and calculating a position;    -   receiving a second signal displayed as a machine-readable        optical label by a second source outside the terminal, the        second signal comprising a second information transmitted using        a predetermined encoding format, and retrieving said second        information;    -   detecting spoofing based on a comparison between the first        information and the second information.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood and its various features andadvantages will emerge from the following description of a number ofexemplary embodiments and its appended figures in which:

FIG. 1 describes an embodiment of the invention wherein spoofingdetection is performed on a GNSS receiver at the PVT level;

FIG. 2 describes an embodiment of the invention wherein spoofingdetection is performed on a GNSS receiver at raw data level;

FIG. 3 represents an embodiment of a terminal according to theinvention;

FIG. 4 represents a network according to an embodiment of the inventionwherein the signals used to determine the position of the receiver areGNSS signals;

FIG. 5 represents a network according to another embodiment of theinvention wherein the signals used to determine the position of thereceiver may be delivered by beacons;

FIGS. 6a and 6b describe two embodiments of the invention wherein apositioning spoofing detection is performed through positioninginformation displayed as a QR-code;

FIGS. 7a and 7b represent flow charts of methods to detect spoofingaccording to two embodiments of the invention.

The examples disclosed in this specification are only illustrative ofsome embodiments of the invention. The invention in its broader aspectsis therefore not limited to the specific details, representativemethods, and illustrative examples shown and described.

DETAILED DESCRIPTION OF THE INVENTION

In what follows, unless indicated otherwise, when it comes to a GNSSreceiver, what is called “positioning information” is the set ofinformation required to determine a PVT computation, meaning spatialcoordinates (latitude, longitude, and altitude), and temporalcoordinates (time information). When it comes to another positioningtechnique, the positioning information may be limited to spatialcoordinates transmitted to the receiver, associated or not with a timeinformation.

The invention concerns a method and associated equipments to detectspoofing in a receiver, based on the consideration of two data linksproviding information about a position of the receiver. The first datalink gives accurate positioning information, while the second data linkprovides positioning information whose accuracy depends on the choiceand configuration of the data link and expected performances of theanti-spoofing technique. The two position datasets are compared todetermine whether or not the receiver might suffer spoofing.

To determine the occurrence of spoofing, the invention is based on:

-   -   calculating an intermediate or final positioning information        from signals dedicated to this end, like for instance GNSS        signals,    -   retrieving a corresponding information from another data link,        and    -   comparing the two pieces of information to determine if the        receiver is likely to be spoofed or not.

Thus, an attacker willing to spoof a positioning system would have tospoof both the positioning system and the alternate data link to achievehis goals, increasing thus dramatically the complexity of the spoofing.

The second positioning information is not required to have a highaccuracy, as it is not to be used to determine a position of thereceiver, but to support a validity of the first measurement. Thus, tosome extent, its transmission does not require using high accuracytransmission equipment, latency constrained data links, and complexreception chains, and can be implemented at a low cost.

In what follows, the invention will be described focusing on twoexemplary embodiments. Each of the exemplary embodiment shows specificadvantages and benefits:

-   -   in the first implementation example, the first data link is a        GNSS data link, providing an accurate positioning information.        This data link is privileged as it is very accurate outdoor and        is prone to suffer spoofing, but can hardly be considered for        indoor positioning. This implementation is recommended for        outdoor applications, like for instance self-driving vehicles;    -   in the second implementation example, the second data link is        providing the second positioning information through the display        of a machine-readable optical label, as for instance a QR-code.        Indeed, displaying a QR-code is low cost, short range, can be        made non invasive using invisible light, and is quite robust to        spoofing due to its directivity and its limited propagation        range. The data link providing the first positioning information        can be any type of data link, which makes this implementation        recommended for indoor applications.

Each of those two exemplary can be declined in several embodiments, andcan be combined, using GNSS positioning along with QR-code display forinstance.

FIG. 1 describes an embodiment of the first implementation example ofthe invention, wherein the positioning information is calculated on GNSSpositioning signals. In this embodiment, the spoofing detection isperformed at the PVT level, the positioning information considered forcomparison being spatial coordinates and/or temporal coordinates.Modules represented in dotted line are optional.

The receiver 100 according to this embodiment of the invention comprisesa first receiving chain (101, 102, 103, 104) to receive and process GNSSsignals. This receiving chain first filters, down-converts and digitizesthe GNSS signals through a GNSS RF chain 101. An optional anti-spoofingprocessing 102 can be performed over the digitized signals, as well asany other signal processing treatment, as for instance multipathmitigation, jammers rejection, or any other relevant processing. Then,the received signals are processed (103), to demodulate, and whenrelevant decrypt, a navigation message, and track each of the GNSSsignals in order to retrieve raw data, like for instance pseudo ranges(a pseudo range being an estimated range between a specific satelliteand the receiver), Doppler shift estimate or any other relevantinformation. Then, when at least four pseudo ranges are retrieved, a PVTsolution is determined (104), meaning that spatial coordinates(latitude, longitude and altitude) and temporal coordinates (timinginformation) of the receiver are calculated.

Operations performed in modules 101 to 104 are classical processing ofGNSS receivers.

The receiver according to this embodiment of the invention furthercomprises a second receiving chain (111, 112, 113, 114), configured toreceive positioning information from non-GNSS signals. These non-GNSSsignals may be, but are not limited to, RF (Radio Frequency) signals oroptical signals, a camera configured to capture an optical messagecarrying an information about a position being one possible embodimentof this second receiving chain. The non-GNSS signal is acquired (111)and processed (112) depending on the nature of the data link used forthe transmission.

In this embodiment, the information transmitted within the non-GNSSsignal are spatial and/or temporal coordinates, transmitted using forexample ECEF coordinates (acronym for Earth Centered-Earth Fixed).

The receiver is further configured to compare (114) the spatial and/ortemporal coordinates computed from the GNSS signals during the PVTcomputation with those carried by the non-GNSS signal. Any discrepancyshall be considered as a possible spoofing situation.

The two positioning information are not expected to be strictlyidentical, as the non-GNSS position does not generally have the sameaccuracy as the GNSS position. Indeed, the transmitter in charge ofemitting the non-GNSS signal does not know the exact position of thereceiver and the propagation time required to reach it, and can onlytransmit information about its own position or the position of an areain which the receiver might be positioned, knowing the expected rangeand directivity of the non-GNSS transmission. In addition, the non-GNSStransmitter is not required to have a high accuracy. However, the GNSSmeasurements and the information transmitted using the non-GNSS signalsare expected to be in a similar range. The difference between these twopositioning information may be compared to a threshold that is setdepending on a plurality of parameters. Among these parameters are theexpected range of the non-GNSS transmitter, its accuracy, as well as thecriticality of the spoofing detection, and others. For instance, thethreshold value (spatial threshold/time threshold) could be set at 100m/0.1 sec for critical applications, and 500 m/1 minute for mass marketapplications. The value of the threshold may also be adapted dependingon various parameters as for example the characteristics of theenvironment or the time elapsed since the last GNSS signal acquisition.For instance, to detect spoofing in a receiver embedded in a roadvehicle, the spatial positioning threshold may be set to 100 m, andreduced to 50 m or even less in dense urban environments, or when thedensity of transmitters of the non-GNSS signal is high, i.e. when theyare close one to each other. The threshold may also be adapted dependingon the type of use. For instance, a truck used for critical goodstransportation may use a constraining threshold when loaded with goods,and a softer one when empty. The threshold value should therefore bechosen depending on the usage, expected probability of detection,probability of false alarms and probability of wrong detection.

When one or more of the differences between the GNSS and non-GNSSpositioning measurements (over spatial and/or temporal coordinates) areabove the threshold, the GNSS positioning information is declaredinvalid. A specific action may also be triggered, as for example,displaying a spoofing flag or an alarm, denying a position authenticitycheck, requesting a confirmation measurement, or any other relevantaction. Multiple flag levels can be defined, depending on the value ofthe difference, and/or a frequency of spoofing detection. Some alertsmay also be sent to the GNSS receiver, so that the GNSS algorithms takeinto account the presence of spoofing for further processing of the GNSSsignals. For instance, the parameters of anti-spoofing algorithms 102may be modified to provide more robustness, or PVT measurements may becomputed from various combinations of pseudo ranges until they fit thecomparison with the non-GNSS positioning information, in order to detectwhich GNSS signals are spoofed. Indeed, in some cases, only a limitednumber of satellite signals may be spoofed, and rejecting these signalswhen performing the PVT computation may be a good countermeasure.

Obviously, the quality of the spoofing detection depends on theprecision of the non-GNSS positioning information, the range of thenon-GNSS transmission, and the value of the threshold, but also on thenumber of pieces of information that are compared. A spoofing detectioncomparing temporal coordinates only will be less efficient than aspoofing detection comparing spatial coordinates (meaning threepositioning information), which will be less efficient than a spoofingdetection comparing both spatial and temporal information. In addition,transmitting time-varying information, as temporal coordinates orephemeris, further improves the robustness against spoofing.

In order to further improve the robustness of the spoofing detectionmethod embedded in a receiver according to the invention, thepositioning information that is transmitted through the non-GNSS linkmay be encrypted. This encryption severely increases the complexity foran attacker to generate fake non-GNSS signals, and spoof both the GNSSand non-GNSS signals. Thus, the service provided by the invention caneasily be restricted to a limited set of users with a low implementationcost, contrary to encryption of GNSS signals, which requires dedicatingexpensive satellite resources to a limited set of users. To this end,the non-GNSS position information may be encrypted using keys sharedwithin a limited set of receivers. The encryption may be symmetric orasymmetric. The receiver according to this embodiment is thereforeconfigured to decrypt (113) the non-GNSS positioning information.

A mechanism to authenticate transmitters may also be implemented. Tothis end, non-GNSS transmitters can associate an authentication keyalong with the positioning information. Thus, non-GNSS positioninginformation provided by transmitters that are unknown to the receivermay be rejected. In another embodiment, the authentication key can beassociated to a predetermined coding, interleaving or encryption dataformat applied to the useful information transmitted in the non-GNSSsignals, thus further improving the robustness to spoofing.

The invention consequently provides a protection over spoofing with avery limited number of modifications to existing GNSS receivers. Indeed,its implementation may be achieved merely by adding an extra chain forreceiving a secondary non-GNSS positioning information, and performing acomparison between both GNSS and non-GNSS positioning information. Thecomparison over one or both of the spatial and temporal coordinates maybe implemented using the computation resources of the GNSS receivers asits cost is very low. Concerning the additional non-GNSS receptionchain, depending on the embodiment of the receiver, in order to furtherreduce the implementation cost, it can be achieved usinghardware/software modules already available in most already existingGNSS receivers, as will be described hereafter.

Still focusing on the first implementation example of the invention,FIG. 2 describes a GNSS receiver 200 according to another embodiment ofthe invention.

In this embodiment, the information measured from the GNSS signals andretrieved from the non-GNSS signals to be compared are raw data, as forinstance pseudo ranges or all or part of navigation messages.

When this information is a pseudo range, the non-GNSS pseudo range,which is relative to a distance between the non-GNSS transmitter and onespecific satellite, may be compared (214) to the pseudo range measuredfrom the corresponding GNSS satellite. When the difference between thosetwo pseudo ranges is above a threshold, the pseudo range measurementmight suffer spoofing: a spoofing flag may be displayed to indicate thatthe PVT measurement might be erroneous, and/or specific actionsintended, for example removing the corresponding GNSS pseudo range fromthe PVT computation 204 or replacing it by the pseudo range provided bythe non-GNSS signal.

Advantageously, the comparison may be made by processing simultaneouslyor alternately pseudo ranges from various satellites of the GNSSconstellation. To this end, the non-GNSS data link transmitssimultaneously or alternately various pseudo ranges, along with anidentifier of the considered satellite. This way, the validity of eachof the GNSS pseudo ranges can be checked concomitantly or one afteranother.

The raw data considered for comparison may also be navigation messages,or specific fields of the navigation messages. The comparison may belimited to some specific fields, because some fields delivertransmission time, and cannot be compared easily. Among the variousfields, the ephemeris field is of particular interest. Indeed, theephemeris field is an easy way for an attacker to spoof a GNSS signal.In that case, the match between the GNSS and non-GNSS ephemeris shall beexact, otherwise a flag may be displayed and/or a specific action willbe taken.

The embodiment of a receiver according to the invention presented inFIG. 2 differs from the one of FIG. 1 in that the comparison between theGNSS and non-GNSS information is not performed at the PVT level, butover raw data which are intermediate processing of the GNSS positioning.According to an alternate implementation, the receiver might use bothtime/spatial coordinates and raw data. To this end, the non-GNSS signaltransmitted shall comprise alternately or simultaneously both raw dataand positions.

According to one embodiment of a receiver according to the invention,the receiver according to the invention may be a terminal as representedin FIG. 1 or 2, comprising a processing device for receiving andprocessing both GNSS and non-GNSS signals, and the processing logicrequired to compare the two positioning pieces of information. Thisreceiver might be for instance a smartphone, a tablet, a personalcomputer, an automobile (autonomous or not), or any Internet of Things(IoT) device equipped or not with a GNSS receiver.

According to another embodiment, represented in FIG. 3, a receiveraccording to the invention is a terminal comprising both:

-   -   a GNSS receiver 301, designed to receive GNSS signals,        processing said signals, and providing raw data and/or a spatial        and/or temporal coordinates, and    -   a non-GNSS receiver 302, designed to receive a non-GNSS signal        and to process said signal to retrieve the information        contained, the information being raw data, spatial coordinates        and/or time coordinates.        The terminal shall further comprise a processing logic 303,        configured to compare the information carried by the GNSS and        non-GNSS signals, and to determine whether or not the GNSS        signals are prone to be spoofed.

This receiver might be for instance a device with some processingcapabilities, for instance a smartphone or an onboard computer,connected to a GNSS receiver and/or non-GNSS signal acquisitionequipment, or having dedicated chipsets. The processing logic may beembedded in a software application configured to display the result ofthe comparisons.

Nowadays, many equipment available on the market come equipped withchips dedicated to process GNSS signals and various RF communicationsstandards. Most of the smartphones comprise means to communicate via 2G,3G, 4G, Wi-Fi (IEEE 802.11) and Bluetooth™ standards, in addition toGNSS capabilities. It is also the case for many cars, cameras, drones,and other mass market equipment such as IoT devices. When not available,the computation chain required to implement the additional non-GNSSprocessing can be implemented in a receiver over a calculation machinesuch as a software reprogrammable calculation machine (microprocessor,microcontroller, digital signal processor (DSP), . . . ), a dedicatedcalculation machine (Field Programmable Gate Array (FPGA), ApplicationSpecific Integrated Circuit (ASIC), . . . ), or any other appropriatemean. The acquisition part of the additional chain may be implemented inhardware and/or software, depending on the platform considered toprocess the non-GNSS data link.

Concerning the technology used as non-GNSS data link, many possibilitiesare available. Advantageously, but not restrictively, this data link maybe implemented in a technology that provides a short (but sufficient)range, in order to provide relevant positioning information about thereceiver's position, and to further improve the complexity of an attackover the GNSS signal. Indeed, as an attack to spoof the GNSS signalsused by a receiver according to the invention will be detected, theattacker has to spoof both the non-GNSS and GNSS transmissions to avoidsuch detection. This is why the second data link shall be different fromthe first data link, its independency guarantying the reliability of thetwo-factor validation of the positioning. Advantageously, limiting therange of the non-GNSS signal to short ranges limits the impact andpotentialities of attacks. The range depends on type of application thatis expected from the positioning measurement: for a GNSS receiverembedded in a car, the range expected from the second data link may beof tens or hundreds of meters, while for static uses (as for exampleauthenticating a transaction) it may be in the order of a few meters. Italso depends on the criticality of the positioning application. Forinstance, the range could be different for a same car when the car ismoving and when the car is parking.

In an embodiment, the non-GNSS transmission used for transmittingpositioning information to be compared with information measured fromthe GNSS signals is formed with machine-readable optical labels, likeQR-codes™ (abbreviation for Quick Response codes). Such codes are twodimensional bar codes.

Using time-varying QR-codes as second data link implies at least thefollowing advantages:

-   -   displaying and capturing a QR-code only uses optical channels        and there is no common mode with GNSS transmission. An attacker        willing to spoof a positioning signal will have to spoof both        the GNSS signals and the QR-code display, which increases the        complexity and cost of the attack. In addition, the display of a        QR-code is a local and directive way of transmitting        information. To spoof this display, the attacker has to show up        or find a way to display its own QR-code between the legitimate        QR-code and the receiver, which limits the range of the spoofing        to a restricted area;    -   A GNSS receiver/camera pair is common in most mass market        devices/equipments (including many different categories of        devices such as smartphones, autonomous cars, . . . );    -   The technology for implementing a camera into an equipment is        mature, and camera chipsets can be found at a low cost;    -   QR-codes are easy to display (LED billboards, screens, video        projectors, e-ink-displays, . . . ) and can be placed anywhere;    -   Display of QR-codes is a one-way link, which limits the        possibility for an attacker to infiltrate and/or modify them;    -   Opportunity displays are possible (for instance at the bottom        corner of a screen), and usually no extra dedicated        infrastructure may be required.

The QR-code may be modified periodically, in order to update the timeinformation it contains, in particular when the spoofing detection isbased on comparing time varying information, like ephemeris or atemporal position.

According to an embodiment of a transmitter according to the invention,the transmitter according to the invention does not send time-varyinginformation: the data transmitted is limited to spatial positioninginformation. In this embodiment, the transmitter may be very limited, asfor instance a display panel of any type.

According to an embodiment, where the information transmitted comprisesa time-varying content, the transmitter is connected to a wired orwireless network in order to retrieve the relevant information, as forinstance its position, a time information, and/or raw data. It isconfigured to generate a QR-code comprising this information, and todisplay the QR-code.

In another embodiment, the QR-code is computed over a remote server andtransmitted through the network to the transmitter for display.

In another embodiment, the transmitter is standalone. Depending on theinformation transmitted within the QR-codes, it may comprise a clockthat delivers temporal information, or may have spatial coordinatesprogrammed into an internal memory. Advantageously, the transmitteraccording to the invention may comprise dedicated equipment orcomputational resources for receiving GNSS signals and determining theinformation that is transmitted through the QR-code, as for instancespatial or temporal positioning information (coordinates), an ephemeris,or any raw data. Indeed, the receiver being spoofed does not necessarilymean that the transmitter is also spoofed, as the transmitter is not atthe same position than the receiver and may implement more robustspoofing mitigating algorithms or directive antennas. In that case, theadvantage of such a transmitter is that it can operate autonomously, andcan be moved to meet punctual anti-spoofing needs.

Into each of the previous embodiments of a transmitter according to theinvention, the QR-codes used to transmit the positioning information maybe encrypted, so that the robustness of the system against spoofing isfurther improved. They may also be transmitted along with anauthentication key, so that the receiver only processes data sent byknown and certified transmitters. Another way to improve the robustnessmay be to associate the authentication key with a predetermined coding,interleaving or encryption data format, which is applied to thetransmitted positioning information.

When the non-GNSS and GNSS information to be compared have a limitedlifetime, as for instance when the non-GNSS data transmitted containstemporal positioning information, or ephemeris, the rate at which theQR-codes must be updated does not necessarily have to be high, since theaccuracy of the time information that is carried by the QR-code only hasto be sufficient for a receiver to detect discrepancies between the GNSSand non-GNSS signals. This information is not used for positioningpurposes, contrary to the information retrieved from the GNSS signals.Thus, for a time information, updating the QR-codes with a 1 Hz datarate for example shall be sufficient for non-critical applications. Whenthe data transmitted over the QR-codes comprises ephemeris, the dataupdate rate can be reduced to a few hours (typically as low as three orfour hours). Higher refresh rate of the QR-codes may be considered, totransmit more information, as for example alternating transmission ofraw-data (pseudo ranges) and positioning information (spatial and/ortemporal), or in order to increase the accuracy of the time information.To some extent, a refresh rate of thirty or more frames per seconds canbe considered, such a data rate being handled by most cameras for signalacquisition. Obviously, this data rate shall take into consideration thethreshold embedded on the receivers for spoofing detection.

QR-codes can be sized in various formats, depending on the number ofdata bits to be carried. The choice shall be made according to the typeof data to be transmitted. For example, a QR-code comprising bothspatial and temporal information can be sized as follows:

-   -   Latitude: from −90° to +90°, with a meter-level resolution, can        be coded over 28 bits;    -   Longitude: from −180° to +180°, with a meter-level resolution,        can be coded over 29 bits;    -   Altitude: from −1000 m to 10000 m, with a meter-level        resolution, can be coded over 14 bits;    -   Time: using unambiguous Week Number (WN) over 10 000 weeks        (which covers about 190 years) and Time Of Week (TOW, ranging        from 0 to 604800 sec) with a millisecond-level resolution, can        be coded over 37 bits.

In this exemplary implementation, presented for illustration purposesonly, 108 bits are necessary to transmit the position and timeinformation. In that case, the information representative of a positionand time can be implemented using version 1 with medium (M) errorcorrection (128 bits) or version 2 with high (H) error correction (128bits) QR-codes. The number of bits required may be increased in order toadd cryptography, authentication keys, or additional signal processingalgorithms such as error correcting codes or checksums, enhancing thusthe robustness of the transmission.

In another exemplary implementation, a coarse position and timeinformation is first transmitted in the QR-code, using a limited amountof bits. An offset to this coarse information is also transmitted in theQR-code, in order to refine this coarse position. This reduces thenumber of data bits to be carried. Other embodiments are possible, asfor instance transmitting the coarse position without any encryption oradditional correction (additional error correcting code, checksum, . . .), and the offset to this position with encryption or additionalcorrection, providing thus an additional protection within a limitedamount of data bits.

When transmitting raw data, like pseudo ranges or ephemeris, the size ofthe QR-codes may be reduced, by transmitting only ephemeris concerningthe position of a limited set of satellites, as for instance satellitesin view of the transmitter, or by transmitting ephemeris concerningsatellites selected randomly. Advantageously, ephemeris transmission canbe limited to the transmission of a difference with regard to typicalvalues, or to some variant of Hatanaka's compression techniques forRINEX (acronym for Receiver INdependent EXchange format) files.

QR-codes display can be performed using display panels (placed alongroads or at specific points of interest), LCD displays or videoprojectors, the QR-codes being projected over buildings or over the roadunder the form of pictures or of a 50 or 60 Hz video. Transmission ofpositioning information comprising time varying information (temporalpositioning information) increases the security as the time of life ofthe information displayed through the QR-codes is very limited. Whenthey do not carry time-varying information, QR-codes may advantageouslybe displayed over static supports (billboards). Projection of QR-codesmay be performed using invisible light, like for instance infrared light(700 to 1000 nm), in order to be as discreet as possible. In addition,the position of the projection can vary over time, in order to furthercomplicate tasks for an attacker willing to spoof the non-GNSS signal byprojecting with a high intensity false QR-codes over the legitimateQR-codes.

Acquisition (111) of QR-codes into a receiver according to oneembodiment of the invention requires a two-dimensional digital imagesensor, like a camera embedded in the receiver. The camera shall beadapted to the carrier frequency of the optical signal: for example, ifthe QR-codes are transmitted on an infrared light carrier, the camerashall be configured to acquire such signals. However, most of the photosensors have the capability to operate in part of the infrared light.The receiver shall further comprise a calculation machine, dedicatedchipset or application to process (112) QR-codes and retrieve the usefulinformation that it contains. This processing comprises an errorcorrecting decoding, that may for instance be a Reed Salomon decoding inthe case of a QR-code. The format in which useful data is transmittedshall be known from the receiver.

According to another embodiment of the invention, the non-GNSSinformation is transmitted through an RF link, and preferably, through ashort range RF link, so that the positioning information transmitted isrelevant to the position of the receiver. The way the transmitteroperates, and various implementation embodiments, is similar to the onesdescribed for QR-codes transmitters, except that the transmission ismade over an RF carrier instead of a light carrier.

Various types of short range RF communication standards may be used toimplement the invention, including Bluetooth™, ZigBee™, Wi-Fi™, or RFID(acronym for Radio Frequency IDentification). The choice of the standardused to implement the data link mostly depends on the application.Advantageously, the RF signal can be broadcast to a limited area ofinterest, using a directive antenna.

The transmitter according to the invention using RF communication linksmay be standalone, or may retrieve the relevant information from aremote network, before modulating and transmitting it. The receiveraccording to the invention comprises at least an antenna and a RFreception chain, to acquire (111) and digitize the signal, and processit (112) in order to retrieve the relevant data.

According to another embodiment, the data link for transmitting thenon-GNSS signal is an acoustic link, the receiver using a microphone toacquire the signal. This embodiment can easily be implemented in asmartphone, without interfering with other RF communications. In orderto limit the audio pollution created by this transmission, the signalmay use non-audible acoustic frequencies within the microphone'sbandwidth. For instance, frequency bandwidth [18 kHz-22 kHz] isinaudible for most of the people, but belongs to the acquisition band ofmost of the microphones.

According to another embodiment, the data link for transmitting thenon-GNSS signal is provided by an optical link, using VLC (Visible LightCommunications). In this embodiment, acquisition (111) of the signal maybe done using a light sensor. This embodiment is particularlyadvantageous as it has a short range, can easily be made directive, anduses visible and/or invisible light.

In order to be correctly interpreted, the positioning informationtransmitted through the non-GNSS data link must be encoded using aformat that is known by the receivers.

According to one embodiment, the data format shall be programmed overeach of the transmitter and receivers. However, this way to operate doesnot allow easy changes of the data format.

The invention may further use a server comprising an access to adatabase wherein each of the transmitters and receivers belonging to anetwork of equipments implementing the anti-spoofing method according tothe invention are registered. The server is configured to send to thetransmitters and receivers, through any kind of communication link(wired, RF, RFID, . . . ), the encoding format to be applied for thenon-GNSS data transmission. This transmission may be effected during thefirst start of the equipments, or may be effected at various timeintervals.

The encoding format may comprise a frame structure, including thevarious fields of the frame and the associated sizes, as well asparameters used for signal encoding, as for instance, depending onimplementation choices, an error coding scheme, an interleaving scheme,and encryption key, etc. . . . . This way, the format in which thepositioning information is transmitted can be modified at will by theserver, without introducing incompatibilities issues of the varioustransmitters/receivers equipments.

In addition, the server may comprise a generator of authentication keys,and may be configured to propagate these authentication keys through thenetwork of registered transmitters and receivers, so that each member ofthe network has an up to date list of the registered equipments. Each ofthe transmitters is associated to an authentication key. Advantageously,a specific coding/interleaving/encrypting scheme of the positioninginformation may be associated to each of the encryption key. Forinstance, the authentication key may be used as a seed for interleavingthe positioning information transmitted. Thus, each transmitter uses itsprivate encoding data format, the receivers being able to determine theappropriate data format to use for signal decoding from theauthentication key associated to the positioning information.

The authentication key may in some embodiments be refreshedperiodically, in order to preclude an attacker from performingmeaconing.

FIG. 4 illustrates a network according to the invention, comprising aterminal 401 configured to compute a PVT measurement from first GNSSsignals transmitted by satellites 411, 412, 413 and 414. The GNSSsignals could also have been transmitted through other means, as forinstance GNSS repeaters or pseudolites. The network further comprises atransmitter 402 according to the invention, configured to transmit asecond signal comprising a navigation message, an ephemeris, spatial ortemporal coordinates, or a combination thereof. The transmitter 402shall be different from the transmitter of the first signals. The secondinformation must come from the outside of the receiving terminal 401, asuse of internal data, as for instance the various internal sensors of asmartphone, to confirm the position computed do not prevent fromsoftware alteration of the data they provide. This second transmissionmust be an external data link, preferably provided by a data link thatdo not share a common mode with the first one (for instance, relying ontwo GNSS data links is less robust to spoofing than a GNSS link and ashort range RF link). In FIG. 4, the second transmission is performedthrough the use of a QR-code, displayed for instance over a LCDbillboard. Use of a non-RF data link a second data link, like forinstance using optical signals or acoustical signal, is particularlyadvantageous as it is generally short range and directive, whichimproves the robustness to spoofing. Terminal 401 is configured toacquire the QR-code, retrieve the data transmitted, and compare thisdata with the GNSS data computed, in order to validate or not the GNSSPVT measurement.

In addition, the network may comprise a server 403, configured totransmit to the various transmitters and terminals of the network theformat in which data are encoded in the QR-code. Data link 420 thatconnects the server to the various equipments can be any kind of wiredor wireless link, as for instance an Ethernet network, a 3G or 4Gnetwork, a Wi-Fi network . . . . The server and the equipments do nothave to be continuously connected: transmissions from the server can beperformed just once at the first start of the equipments, at givenmoments of time, periodically, continuously . . . .

The server may comprise or may be linked to a database where thetransmitters and terminals of the network are registered. Anauthentication key is assigned to each of the transmitters andcommunicated to the terminals. This authentication key is transmittedalong with the positioning information within the QR-code, so that thereceiver can approve or not the validity of the non-GNSS transmission.In an alternate embodiment, positioning information sent within theQR-codes is encrypted using an encryption key that relies on theauthentication key of the transmitter. In another embodiment, the servermay communicate to each transmitter and terminal of the network anencryption key to be used for non-GNSS transmissions.

FIG. 5 describes an embodiment of another implementation example of anetwork according to the invention, wherein the positioning informationis calculated from non-GNSS positioning signals, and the secondtransmission is made of a machine-readable optical label, as the displayof a QR-code. The first and second implementation examples are notexclusive and can be mixed.

The various embodiments described in relation with the firstimplementation example of the invention (GNSS+any second data linkdelivering data to be compared with the GNSS processing) apply equallyto this example, in particular considerations about size and datacontained in the QR-code, accuracy of the information contained in theQR-code, and the authentication of the various equipments used totransmit said QR-code.

The implementation example of FIG. 5 is adapted to be deployed in indoorenvironment, as for example in a shopping mall or in a warehouse, whereGNSS transmissions do not operate. In this embodiment, the firstpositioning information is acquired from a non-GNSS data link, as forinstance by performing ranging over a plurality of Wi-Fi access pointsusing a RSSI approach (acronym for Received Signal Strength Indication).In that case, the receiving chain is close to the one described in FIG.1 for GNSS signals: at least three pseudo ranges between the receiverand various Wi-Fi access points are calculated from received signalpower measurements, these pseudo ranges being used to compute a PVTmeasurement. According to another embodiment, represented in FIG. 5, thenon-GNSS data link is provided by Bluetooth™, VLC or RFID beacons (orany other suitable communication mean) transmitting a position. In thatcase, the position transmitted is the position of the transmitter, butthis position is considered by the receiver to be its own position, asthe technologies employed are low-range technologies. The accuracy ofthe position determined is lower than the accuracy of an outdoor GNSSpositioning measurement, but GNSS positioning cannot be deployed indoor.The value of the threshold set to compare the two position measurementsmust be chosen accordingly.

FIG. 5 represents such an embodiment of a system, wherein a terminal 501receives a first position measurement from a VLC beacon 502 transmittingin visible or invisible light (or a RF data link provided by aBluetooth™ equipment for instance), and a second positioning informationfrom the display of a QR-code 503.

In addition, the equipment 503 displaying the QR-codes and the receiver501 may be connected to a server 504, configured to transmit to thevarious transmitters and terminals of the network the format in whichdata are encoded by the QR-code. The server and QR-code transmitter areconnected through a wired or wireless data link 510, as for instance anEthernet network, a 3G or 4G network, a Wi-Fi network . . . . The serverand the equipments do not have to be continuously connected:transmissions from the server can be performed just once at the firststart of the equipments, at given moments of time, periodically,continuously . . . .

The server may comprise or may be connected to a database wherein thetransmitters and terminals of the network are registered. Anauthentication key is assigned to each of the transmitters, andcommunicated to the terminals of the network. This authentication key istransmitted along with the positioning information within the QR-code,so that the receiver can approve or not the validity of the non-GNSStransmission. In an alternate embodiment, positioning information sentwithin the QR-codes are encrypted using an encryption key that needs tomatch the authentication key of the transmitter. In another embodiment,the server can communicate to each transmitter and terminal of thenetwork an encryption key to be used with the machine-readable opticallabel.

FIG. 6a represents a terminal, as for instance a smartphone, accordingto an embodiment of the invention that corresponds to the secondimplementation example, wherein the second positioning information isdirectly provided by a data link.

The terminal 600 comprises a first receiving chain to receive (601) oneor more non-GNSS signals, as for instance Wi-Fi, Bluetooth™′ VisibleLight Communications or RFID signals, perform the processing required toextract the useful data from the message (602), and perform optionaldeciphering processing (603) to recover the information carried by thesignal about the position of the receiver, the position being either atemporal positioning or a spatial positioning or a combination thereof.

The terminal 600 further comprises a second receiving chain to acquire(611) a machine-readable optical label, perform the processing requiredto extract (612) the useful data from the optical label, and performoptional deciphering processings (613) to recover the informationcarried by the signal about the position of the receiver.

The receiver finally comprises some processing resources to compare bothpositioning pieces of information. When the difference between the twopieces of positioning information is above a threshold, the receivertakes the appropriate action, as for instance raising a flag orinvalidating the positioning measurement.

In another embodiment represented in FIG. 6b , the first positioninginformation is retrieved by triangulating Wi-Fi access points whosepositions are known. The receiver comprises a Rx Chain 621 to receiveand digitize Wi-Fi signals transmitted in various channels. Thedigitized signals are processed (622) simultaneously or alternately, asfor instance to measure a received power level for each signal. From theknown position of the access points and the measured power level, pseudoranges calculations (623) are made, said pseudo ranges being used todetermine a position by triangulation. In that case, the data compared(624) may be pseudo range measurements and/or position measurements,depending on the type of positioning information transmitted through theQR-codes (pseudo ranges or spatial positions).

The invention allows detecting spoofing by comparing positioning datatransmitted through two distinct data links, the two data links usingadvantageously different propagation supports. The type of technologyused to provide the positioning information is not as important as thefact of providing a two-factor validation of the position of a receiver,which increases the difficulty for an attacker to spoof both signals.For instance, one data link may use RF signals and the other one opticalsignals. The purpose of the second data link (as for example amachine-readable optical label) is not to increase the quality of thepositioning, but to detect spoofing. However, the informationtransmitted through this data link may also be used for other purposes,as for example to fasten the signal acquisition of a GNSS receiver.

By comparing positioning data acquired from two different communicationlink, the receiver according to the invention can reliably detectspoofing, whatever the spoofed data link is, and may also provide anadditional robustness to positioning errors due to difficult propagationconditions, or jamming.

Typical applications of the invention concern spoofing detection of GNSSpositioning devices, notably when the sensitivity of the application ishigh, as for instance with autonomous vehicles, but also to improve thesecurity of transactions. For instance, to validate a banking operation,a payment terminal may be equipped with a LCD screen to display QR-codescomprising information like time and spatial coordinates. When asmartphone is used for the payment, it flashes the QR-code displayed onthe payment terminal. If its own position, acquired from GNSS signals orfrom RF beacons, does not match the position transmitted through theQR-code displayed on the payment terminal, at least one of the twopositions is suspicious. The banking payment may be refused, or the bankinformed. The invention may also be used to assert package deliveries:QR-codes transmitting local positioning information are positioned atplaces where packages are to be delivered. When the deliveryman reachesits destination, it flashes a QR-code which, when it matches theposition delivered by the GPS receiver of the deliveryman, asserts thatthe package has been delivered at the expected place, reducingeliminating or mitigating the consequences if the position given by theGPS receiver has been hacked, either by a spoofing of the GPS signals orby software spoofing of the receiver.

The invention further concerns a method to calculate a position anddetect spoofing in a terminal. This method applies to first signals usedto compute a position, like for instance GNSS signals, and secondsignals, like for instance non-GNSS signals. FIG. 7a represents a flowchart of a first embodiment of the method. It comprises three mainsteps:

-   -   receiving GNSS signals (701) from GNSS sources, like satellites        or ground-based station transmitting GNSS signals (GNSS        repeaters or GNSS pseudolites), and processing said signals to        calculate at least one first information relative to the        position of the terminal. This first information is a        positioning information that may be a pseudo range measurement,        an ephemeris, a navigation message, spatial coordinates,        temporal coordinates, or a combination thereof;    -   receiving a non-GNSS signal (702) from a second source, the        second source being different from the GNSS sources and external        to the receiver, as for instance Bluetooth™, Wi-Fi, RFID or VLC        transmitters. The non-GNSS signal processed to retrieve one or        more second information transmitted using a predetermined        encoding format, the second information being of the same type        as the first information;    -   comparing said first and second information to detect spoofing.        When the comparison is above a threshold, the appropriate        actions may be performed (raise a flag, deny position        authentication, remove a specific pseudo range from a PVT        calculation, etc. . . . ).

FIG. 7b represents a flow chart of another embodiment of the method,suitable in particular to indoor environments, where GNSS signals cannotbe received. It comprises three main steps:

-   -   receiving one or more first signals (711) from first sources, as        for instance Bluetooth™, Wi-Fi, RFID or VLC beacons, or Wi-Fi        access points. The first signals are any type of signal that can        be used to determine a position of the receiver. At least one        first information is computed or extracted from said first        signals, the information being relative to a position of the        terminal. This first information may be a pseudo range        measurement, spatial coordinates or temporal coordinates, or a        combination thereof;    -   receiving a second signal (712) displayed as a machine-readable        optical label, as for instance a QR-code, that comprises one or        more second information transmitted using a predetermined        encoding format. The second information is of a same type as        said first information. The second information will be extracted        from the second signal;    -   comparing said first and second information to detect spoofing.        When the comparison is above a threshold, the appropriate        actions may be performed (raise a flag, deny position        authentication, remove some pseudo range from a PVT calculation,        etc. . . . ).

Within each method, the first and second steps can be performed eithersimultaneously or alternately. The methods may further be supplementedby steps of authentication of the transmitters, in order to improvetheir robustness.

The invention is based on the use of a second communication channel, notnecessarily RF, to transmit coarse positioning information that can beone or more of a pseudo-range value, an ephemeris, spatial coordinatesor temporal coordinates. This information is to be compared with aprimary positioning information computed from GNSS signals to assert thevalidity of a positioning estimate.

Depending on the embodiment, the invention can easily be implementedover already existing GNSS receivers or smartphones, and do not requirehigh implementation costs to develop and deploy transmitters. Therobustness to spoofing can be increased by introducing data encryptionover the second data link, without modifying the primary data link,which is important in particular when the positioning is performed usingGNSS systems, or to be integrated in already existing positioningnetworks.

Using a short range data transmission for the second data link, and, ifpossible, a directive one, makes the spoofing of this signal verycomplex to an attacker, and very short range. In addition, contrary tostate of the art spoofing detection techniques, the spoofing detectionmethod according to the invention is not sensitive to multipathreflections of the GNSS signals and to unexpected AGC variations. Thus,it is well suited to be used in urban or indoor environments, and istherefore complementary with other anti-spoofing algorithms.

While some embodiments of the invention have been illustrated by adescription of various examples, and while these embodiments have beendescribed in considerable details, it is not the intent of the applicantto restrict or in any way limit the scope of the appended claims to suchdetails. The invention in its broader aspects is therefore not limitedto the specific details, representative methods, and illustrativeexamples shown and described.

The invention claimed is:
 1. A terminal to calculate a position anddetect spoofing, comprising: a first receiver configured to receivefirst signals from one or more first sources, and configured to computeone or more first information based on the one or more first signals,wherein: the first information includes at least one of a pseudo rangemeasurement, a satellite ephemeris, a satellite navigation message,spatial coordinates or temporal coordinates, and the first receiver isconfigured to calculate a position of the terminal using the firstinformation; a second receiver configured to receive a second signal anda third signal, wherein: the second signal is in the form of amachine-readable optical signal from a machine-readable optical labeldisplayed by a second source outside the terminal, the third signalprovides an encoding format of the second signal, the second signalcomprises a second information of a same type as the first information,the second receiver is configured to retrieve the second informationemploying the encoding format provided by the third signal; and aprocessing logic configured to detect spoofing based on a comparisonbetween the first information and the second information.
 2. Theterminal of claim 1, wherein the first signals are GNSS signals.
 3. Theterminal of claim 1, wherein the machine-readable optical label is aQR-code.
 4. The terminal of claim 1, wherein spoofing is detected when adifference between the first information and the second information isabove a threshold.
 5. The terminal of claim 4, wherein the threshold isadaptive.
 6. The terminal of claim 5, wherein the second signal furthercomprises an authentication key, the terminal being further configuredto use the authentication key to retrieve the second information.
 7. Theterminal of claim 5, wherein the second signals are encrypted, theterminal being further configured to decrypt the second information. 8.The terminal of claim 5, wherein the second information is related to aposition of an equipment from which the second signal is transmittedfrom.
 9. A network comprising: a set pf terminals of claim 5; and atransmitter, for transmitting the second signal carrying the secondinformation, wherein the second information is one or more of a pseudorange measurement, a satellite ephemeris, a satellite navigationmessage, spatial coordinates of the transmitter, or temporalcoordinates, wherein the second information is transmitted in theencoding format made available to the set of terminals and is adapted tobe compared to another positioning information by a terminal in the setof terminals.
 10. The network of claim 9, wherein the transmittertransmits the second information through a display of themachine-readable optical label.
 11. The network of claim 9, wherein thesecond information transmitted by the transmitter is time varying. 12.The network of claim 9, wherein the transmitter is associated to anauthentication key, and is further configured to transmit the secondinformation using a key encoding format relying on the authenticationkey.
 13. The network of claim 9, wherein the transmitter is furtherconfigured to encrypt the second information.
 14. The network of claim 9further comprising: a database in communication with a server; multipletransmitters registered in the database; and multiple terminalsregistered in the database, wherein: the server is configured totransmit to the transmitters and the terminals registered in thedatabase one or more encoding formats to be applied to the secondinformation transmitted from the transmitters to the terminals.
 15. Thenetwork of claim 14, wherein the server is further configured togenerate authentication keys associated to the transmitters registeredin the database.
 16. A method of calculating a position and detectingspoofing in a terminal, comprising the steps of: receiving one or morefirst signals from one or more first sources; computing one or morefirst information based on the one or more first signals, wherein thefirst information is one or more of a pseudo range measurement, asatellite ephemeris, a satellite navigation message, spatial coordinatesor temporal coordinates; calculating a position of the terminal usingthe first information; receiving a second signal in the form of amachine-readable optical signal from a machine-readable optical labeldisplayed by a second source outside the terminal, the second signalcomprising one or more second information of a same type as the firstinformation; receiving a third signal providing an encoding format ofthe second signal; retrieving the second information using the encodingformat; and detecting spoofing by comparing the first information andthe second information.
 17. The terminal of claim 5, wherein the firstsignal comprises the satellite ephemeris.